During the reconnaissance phase, the attacker finds out the information she needs to actually get in: what traffic the firewall lets through, what hosts are in the network, what services they actually have running, etc.
Passive Reconnaissance refers to gathering information, often indirectly, in a manner unlikely to alert the subject of the surveillance. This is the natural start of any reconnaissance because, once alerted, a target will likely react by drastically increasing security in anticipation of an attack. This is like casing a place prior to robbing it.
Active Reconnaissance refers to gathering information while interacting with the subject directly, in a way that usually can be discovered. While passive reconnaissance is like casing a place, active reconnaissance would be actually trying to open doors and windows to see which ones are unlocked.
Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information. Social engineering attacks happen in one or more steps. A perpetrator first investigates the intended victim to gather necessary background information, such as potential points of entry and weak security protocols, needed to proceed with the attack. Then, the attacker moves to gain the victim’s trust and provide stimuli for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources.